
I'm using Botan library now.

I would like to encrypt my files using AES/CBC mode using the PKCS7 padding mode.

The AES/CBC decryption provided by Botan will throw an exception when an error occurs and I'm not sure whether it is vulnerable to the padding oracle attack.

So how should I perform the decryption process to prevent the attack?

Updated:

  1. Even if I don't return the padding error, the file will be left unchanged, which can be known by the attacker.

  2. My code is as follows: (The iv and key will be set appropriately)

    #include <botan/botan.h>   // Botan 1.x umbrella header: Pipe, get_cipher, DataSink_Stream
    #include <istream>
    #include <ostream>
    #include <string>

    // Assumed context, not shown in the original post: a Botan::LibraryInitializer
    // plus the key, IV and mode string these functions read (set elsewhere).
    static const std::string cipher_mode = "AES-256/CBC/PKCS7";
    static std::string key;   // hex-encoded key
    static std::string iv;    // hex-encoded IV

    void encrypt(std::istream &in, std::ostream &out)
    {
        try
        {
            Botan::SymmetricKey key_t(key);
            Botan::InitializationVector iv_t(iv);
            // Pipe: cipher filter -> stream sink; ciphertext is written to `out`
            Botan::Pipe encryptor(Botan::get_cipher(cipher_mode, key_t, iv_t, Botan::ENCRYPTION), new Botan::DataSink_Stream(out));
            encryptor.start_msg();
            in >> encryptor;
            encryptor.end_msg(); // flush buffers, complete computations
        }
        catch(...)
        {
            throw; // rethrow unchanged
        }
    }
    
    void decrypt(std::istream &in, std::ostream &out)
    {
        try
        {
            Botan::SymmetricKey key_t(key);
            Botan::InitializationVector iv_t(iv);
            // Pipe: cipher filter -> stream sink; plaintext is written to `out`
            Botan::Pipe decryptor(Botan::get_cipher(cipher_mode, key_t, iv_t, Botan::DECRYPTION), new Botan::DataSink_Stream(out));
            decryptor.start_msg();
            in >> decryptor;
            decryptor.end_msg(); // flush buffers, complete computations; a padding error throws here
        }
        catch(...)
        {
            throw; // rethrow unchanged
        }
    }
    
Artjom B.
Arolia
  • 1. To avoid a padding oracle attack don't return padding errors. 2. You have not provided how you are using the encryption and that affects whether a padding oracle attack is possible or not. – zaph May 12 '17 at 09:38
  • @zaph Thanks for your reply. I have updated my question. – Arolia May 12 '17 at 12:20
  • No 1 is unclear, an encrypted file without the key is safe. – zaph May 12 '17 at 18:39
  • Use CBC mode with a **random IV**, just prefix the encrypted data with the IV for use in decryption, it does not need to be secret. No need to pass in an IV, let the encryption function create a random IV. – zaph May 12 '17 at 18:40

1 Answer


Use CBC mode with a random IV, just prefix the encrypted data with the IV for use in decryption, it does not need to be secret. No need to pass in an IV, let the encryption function create a random IV.

zaph
  • Does that mean it is my responsibility to protect the file from being tampered with by others? – Arolia May 13 '17 at 01:10
  • You need to provide the random IV. If you are concerned with tampering you need to add authentication, you need to provide a use case and threat evaluation, that is who are you protecting against, what capabilities do they have and what is the value in monetary units or reputation: no encryption is 100% safe but can be real close. – zaph May 13 '17 at 15:30
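The file layout the answer and its last comment describe (random IV prefixed to the ciphertext, authentication added) as an added example that is not zaph's, Arolia's or Botan's code. It uses Python's `cryptography` package and HMAC-SHA256 (encrypt-then-MAC) in place of Botan's Pipe API; the two keys are constructed placeholders. The tag is checked in constant time before any decryption, so a modified file is rejected with one generic error and the PKCS7 padding check is never reachable by an attacker.

```python
import hashlib
import hmac
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Constructed placeholder keys; in practice derive two independent keys (e.g. HKDF).
ENC_KEY = bytes(range(32))        # AES-256 key
MAC_KEY = bytes(range(32, 64))    # HMAC-SHA256 key
TAG_LEN = 32


class DecryptError(Exception):
    """Single error type: a caller cannot distinguish a bad tag from bad padding."""


def encrypt(plaintext: bytes) -> bytes:
    iv = os.urandom(16)                       # fresh random IV, stored in the clear
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(ENC_KEY), modes.CBC(iv)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    tag = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()   # MAC over IV || CT
    return iv + ct + tag                      # file format: IV || CT || TAG


def decrypt(blob: bytes) -> bytes:
    if len(blob) < 16 + 16 + TAG_LEN or (len(blob) - TAG_LEN) % 16:
        raise DecryptError()
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    # Constant-time tag check BEFORE decrypting: a tampered file never reaches
    # CBC decryption or the padding check, so there is no padding oracle.
    if not hmac.compare_digest(expected, tag):
        raise DecryptError()
    iv, ct = body[:16], body[16:]
    dec = Cipher(algorithms.AES(ENC_KEY), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    try:
        return unpadder.update(padded) + unpadder.finalize()
    except ValueError:
        raise DecryptError()   # unreachable for an authentic file; keep one error type anyway


def tamper_rejected(blob: bytes) -> bool:
    """Flip one ciphertext byte; the tag check must fail with the generic error."""
    mutated = bytearray(blob)
    mutated[16] ^= 0x01        # first byte of the ciphertext (after the 16-byte IV)
    try:
        decrypt(bytes(mutated))
    except DecryptError:
        return True
    return False
```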